Re: Web Service Access
by John Saunders [MVP] on 11/17/2007 12:30:00 PM
"Asim" <Asim@discussions.microsoft.com> wrote in message
news:7E32CB24-BE64-4BD0-A41F-B466B7F8045C@microsoft.com...
> Hello,
>
> I have a question about restricting access to web services.
>
> We have public web services which are available for clients to request data,
> and we do have some private web services which expose some application
> functionality. We would like to restrict these web services to be only used
> by our core application.
>
> Are there any suggestions, best practices and/or patterns and practices for
> restricted access to private web services so that only permitted applications
> or code can access them?
Does authentication solve your problem, or are you looking for more than
that?
--
--------------------------------------------------------------------------------
John Saunders | MVP - Windows Server System - Connected System Developer
Re: Web Service Access
by John Saunders [MVP] on 11/18/2007 5:44:00 AM
"Asim" <Asim@discussions.microsoft.com> wrote in message
news:E2F0D5C8-8E25-495C-B15A-2E8313D9CBD5@microsoft.com...
> I am looking for a way other than authentication. If we use authentication,
> then we are shifting the burden to implementation and IT teams.
I'm not sure that I fully understand, but if you want to limit access to
only particular applications, then there has to be some special "secret"
shared between those applications and the web services. If the application
presents the "secret" when it makes a request to the web service, then the
request is permitted; otherwise it is denied.
You might use something like XML Digital Signature. The applications could
be given certificates that they use to sign some data. The server would also
have access to the same certificates, and would use them to validate the
signed data. Only an application with access to the certificate (the secret)
could have used it to sign the data so that the server could validate it.
Yet, the certificate is not being sent across the network, and cannot be
inferred from the signed data.
Something like this can also be used to securely identify a client or
application, in a way that makes better sense than using IP addresses or
something else outside of the control of your application.
--
--------------------------------------------------------------------------------
John Saunders | MVP - Windows Server System - Connected System Developer
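The signed-request pattern described in the reply above, as an added example that is not part of the original posts or the MVP's own code. It uses an RSA-PSS signature over a SHA-256 digest rather than XML Digital Signature, so that it runs with only the Go standard library; the wire format (`SignedRequest`), the function names, and the 300-second acceptance window are assumptions made for this example. In this design the calling application holds the private key and the web service holds only the matching public key (the certificate's public half), so the service can verify without being able to forge. It also goes one step beyond the post: the request timestamp is bound into the signed bytes and checked against a window, which limits replay of a captured request.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// SignedRequest is the assumed wire form: the request body, a timestamp,
// and a signature over (timestamp, body). The private key is never sent.
type SignedRequest struct {
	Body      string
	Timestamp int64  // Unix seconds; bound into the signature to limit replay
	Signature string // base64 of an RSA-PSS signature over SHA-256(input)
}

// NewClientKey generates the application's key pair. In a deployment the
// private half would be provisioned to the core application only.
func NewClientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signingInput fixes the exact bytes both sides hash. The newline separator
// keeps the timestamp and body from running together ambiguously.
func signingInput(ts int64, body string) []byte {
	return []byte(strconv.FormatInt(ts, 10) + "\n" + body)
}

// SignRequest runs inside the permitted application, which holds priv.
func SignRequest(priv *rsa.PrivateKey, body string, ts int64) (SignedRequest, error) {
	digest := sha256.Sum256(signingInput(ts, body))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{
		Body:      body,
		Timestamp: ts,
		Signature: base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// VerifyRequest runs on the web service. It needs only the public key, plus
// the service's own clock (now) and an acceptance window (maxSkew seconds).
func VerifyRequest(pub *rsa.PublicKey, req SignedRequest, now, maxSkew int64) error {
	// Reject stale or far-future requests before doing any crypto.
	if req.Timestamp < now-maxSkew || req.Timestamp > now+maxSkew {
		return errors.New("timestamp outside acceptance window")
	}
	sig, err := base64.StdEncoding.DecodeString(req.Signature)
	if err != nil {
		return errors.New("signature is not valid base64")
	}
	// Recompute the digest over the same bytes the client signed.
	digest := sha256.Sum256(signingInput(req.Timestamp, req.Body))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return errors.New("signature does not verify: not from a permitted application")
	}
	return nil
}

func main() {
	priv, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	// Constructed sample body standing in for a private service call.
	req, err := SignRequest(priv, "<ReloadPricingCache/>", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request:", VerifyRequest(&priv.PublicKey, req, now, 300))

	tampered := req
	tampered.Body = "<ReloadPricingCache purge=\"all\"/>"
	fmt.Println("tampered body:  ", VerifyRequest(&priv.PublicKey, tampered, now, 300))
	fmt.Println("replayed later: ", VerifyRequest(&priv.PublicKey, req, now+3600, 300))
}
```

The service stores one public key per permitted application and looks it up by an application identifier carried alongside the request; rotating a compromised key then means replacing one public key on the service side, with nothing secret ever having crossed the network.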